I’m a big believer in not living life in fear, but when we spend so much of our lives in this crazy online world these days, there’s certainly a need for ‘safe-surfing’ practices… And since this e-world is evolving so quickly, there are always new things to be aware of. Not necessarily afraid of, but certainly aware of!

First, my friend Karla sent me an email recently warning of a new online scam involving something called “URL Shorteners”. You can read the entire article over at Scambusters.org, but the gist of it is this:

URL shorteners are tools that were developed in recent years as URLs (Uniform Resource Locators, aka web addresses) just kept getting more complicated and thus, longer. As you may have experienced, if you paste a long web address (URL) into an email, and it ends up flowing onto two lines, the entire URL might not work right anymore, as the part on the second line would often get cut off from the part on the first line! Messy, messy, messy… Enter URL shorteners. Sites have sprung up all over, with names like tinyurl.com, bitly.com and goo.gl, among many others. I’ve been a big fan of shorteners for quite a while now, for making nice short URLs in emails to clients (bitly being my current favorite). They’ve also gained popularity since they make it easy to post short URLs to services like Facebook and Twitter.

The problem, it seems, is that scammers are starting to use shorteners to direct people to malicious websites. According to the Scambusters.org site linked above, there are “three simple steps” one can take to avoid URL shortener abuse:

1. Be wary of any link that appears to be the output of a URL shortener. Basically, if the address is very short, comes to you in an email or appears on a website yet doesn’t use recognizable words, it has probably been shortened.

2. If you have any doubts about the origin, copy and paste the link into one of the URL lengthening sites. For a fuller list than the ones we’ve provided, just initiate a web search for the words “URL lengthener.”

3. Ensure your Internet security software is up-to-date. That way, if you do land on a malicious page, your software should alert you and block any attempts to upload malware.

Their best advice, however, is good general web-surfing advice: pay attention to the web address that shows up in the location bar at the top of your web browser when you’re using the Internet! Use common sense to ensure that you’re on the site you think you are… In other words, if you think you’re on your Chase credit card website, make sure the first part of the address for the page you’re about to enter your username and password on is actually ‘chase.com’, and not just something close, like ‘cc.chase.com’. And if you’re not sure, try starting over from a known-good link in your bookmarks (or something as simple as ‘chase.com’)!!

Read more at the Scambusters website, and get in touch if you still have questions.

UPDATE: I just found this site, with a great round-up of the relative security of 11 popular URL shortening services. All of the ones I know and use didn’t fare very well, so I’ll be trying these two from now on: cli.gs & safe.mn (probably the latter)!


Secondly, I read an article at arstechnica.com today about a security researcher who did a bunch of research into Facebook’s supposed privacy and security tools and found a method whereby “he could ‘friend’ even allegedly more wary Facebook users in less than 24 hours.” Even scarier, by taking advantage of Facebook’s “Three Trusted Friends” password recovery feature, he found that “a hacker can change both the password and the contact e-mail address for an account. The hacker could then use that hacked account for social engineering attacks on other accounts.” Apparently, a Facebook spokesperson “told Ars Technica by email that Neto’s approach is a clear violation of the company’s policies, and that Facebook encourages users to report any account they think may be using a false name.” Not exactly encouraging, from a security standpoint, eh??

At the very least, I urge any Facebook users reading this to disable the “Three Trusted Friends” feature, if you have it enabled.

I think the major lesson here (in both of these examples of online scams) is to be on your guard when surfing the Internet. Of course, there are lots of places where you probably don’t have to be too wary, but unfortunately, Facebook doesn’t appear to be one of them!!